Merge branch 'certbot_cleanup' into 'develop'

Let's Encrypt: auto cleanup & ECC

Closes #5226, #6563, and #6746

See merge request ispconfig/ispconfig3!1937

Author: Till Brehm

install/lib/installer_base.lib.php

@@ -142,6 +142,11 @@ vhost_proxy_protocol_enabled=n
 vhost_proxy_protocol_protocols=ipv4
 vhost_proxy_protocol_http_port=880
 vhost_proxy_protocol_https_port=8443
+le_signature_type=ECDSA
+le_delete_on_site_remove=y
+le_auto_cleanup=y
+le_revoke_before_delete=y
+le_auto_cleanup_denylist=[server_name]
 
 [dns]
 bind_user=root

install/tpl/server.ini.master

@@ -278,5 +278,115 @@ function _wildcard_limit() {
 		return true; // admin may always add wildcard domain
 	}
 
+	/**
+	 * Parses $expression to check if it is a valid shell glob pattern.
+	 * Does not support extended glob matching syntax.
+	 *
+	 * @see https://www.gnu.org/software/bash/manual/html_node/Pattern-Matching.html
+	 * @param string $expression
+	 * @param string $allowed_chars regexp of allowed characters in expression. ? and * are always allowed
+	 * @param string|null $allowed_brace_chars regexp of allowed characters in brace ([...]). Dash is always allowed. If empty, then $allowed_chars will be used
+	 * @return bool
+	 */
+	private function validate_glob($expression, $allowed_chars = '/^.$/u', $allowed_brace_chars = null) {
+		$escaping = false;
+		$in_brace = false;
+		$brace_content = [];
+		$chars = preg_split('//u', $expression, -1, PREG_SPLIT_NO_EMPTY);
+		foreach($chars as $i => $c) {
+			if($in_brace) {
+				// the first char after brace start can be a ].
+				if(($c == ']' && empty($brace_content)) || $c != ']') {
+					$brace_content[] = $c;
+				} else {
+					$in_brace = false;
+					$last_is_dash = false;
+					foreach($brace_content as $bi => $bc) {
+						// dashes are always allowed
+						if($bc == '-') {
+							// ... but we consider consecutive dashes as invalid
+							if($last_is_dash) {
+								return false;
+							}
+							// ... and need to validate it as allowed char when it is first or last
+							if(($bi == 0 || $bi == count($brace_content) - 1) && !preg_match($allowed_brace_chars ?: $allowed_chars, '-')) {
+								return false;
+							}
+							$last_is_dash = true;
+						} else {
+							$last_is_dash = false;
+							// negate chars are always allowed
+							if($bi == 0 && ($bc == '^' || $bc == '!') && count($brace_content) > 1) {
+								continue;
+							}
+							if(!preg_match($allowed_brace_chars ?: $allowed_chars, $bc)) {
+								return false;
+							}
+						}
+					}
+				}
+			} else {
+				$peek = $i == count($chars) - 1 ? '' : $chars[$i + 1];
+				if($c == '\\' && in_array($peek, ['[', ']', '*', '?'])) {
+					$escaping = true;
+					continue;
+				} elseif($c == '[' && !$escaping) {
+					$in_brace = true;
+					$brace_content = [];
+				} elseif($escaping || ($c != '?' && $c != '*')) {
+					if(!preg_match($allowed_chars, $c)) {
+						return false;
+					}
+				}
+				$escaping = false;
+			}
+		}
+		return !$in_brace && !$escaping;
+	}
+
+	/**
+	 * Validates that input is a comma separated list of domain globs.
+	 * Can be used for fnmatch() as input.
+	 */
+	function domain_glob_list($field_name, $field_value, $validator) {
+		global $app;
+		$allowempty = $validator['allowempty'] ?: 'n';
+		$exceptions = $validator['exceptions'] ?: [];
+		$allow_exception_as_substring = $validator['allow_exception_as_substring'] ?: 'y';
+		if(!$field_value) {
+			if($allowempty == 'y') {
+				return '';
+			}
+			return $this->get_error($validator['errmsg']);
+		}
+		$parts = explode(',', $field_value);
+		foreach($parts as $part) {
+			$part = trim($part);
+			// an empty part means there is a stray comma
+			if(empty($part)) {
+				return $this->get_error($validator['errmsg']);
+			}
+			// allow list placeholders that you will replace with real values at evaluation
+			if(in_array($part, $exceptions, true)) {
+				continue;
+			}
+			// optionally do not allow placeholders to be part of an expression
+			if($allow_exception_as_substring == 'n') {
+				foreach($exceptions as $exception) {
+					if(strpos($part, $exception) !== false) {
+						return $this->get_error($validator['errmsg']);
+					}
+				}
+			}
+			// A domain glob needs to:
+			// * be a valid glob with only a-z0-9._- as characters
+			// * have at least one dot in it
+			// * not have two consecutive dots
+			if(!$this->validate_glob($part, '/^[a-z0-9._-]$/ui') || strpos($part, '.') === false || strpos($part, '..') !== false) {
+				return $this->get_error($validator['errmsg']);
+			}
+		}
+		return '';
+	}
 
 }

interface/lib/classes/validate_domain.inc.php

@@ -574,15 +574,6 @@
 			'default' => '2048',
 			'value' => array('1024' => 'weak (1024)', '2048' => 'normal (2048)', '4096' => 'strong (4096)')
 		),
-        'relayhost_password' => array(
-            'datatype' => 'VARCHAR',
-            'formtype' => 'TEXT',
-            'default' => '',
-            'value' => '',
-            'width' => '40',
-            'maxlength' => '255'
-        ),
-
 		'pop3_imap_daemon' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
@@ -1642,6 +1633,49 @@
 			'width' => '40',
 			'maxlength' => '255'
 		),
+		'le_signature_type' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'SELECT',
+			'default' => 'ECDSA',
+			'value' => array('RSA' => 'RSA (RSA encryption with SHA-256)', 'ECDSA' => 'ECDSA (Elliptic Curve Digital Signature Algorithm)')
+		),
+		'le_delete_on_site_remove' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
+		'le_auto_cleanup' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
+		'le_auto_cleanup_denylist' => array(
+			'validators' => array(
+				array (
+					'type' => 'CUSTOM',
+					'class' => 'validate_domain',
+					'function' => 'domain_glob_list',
+					'allowempty' => 'y',
+					'exceptions' => array('[server_name]'),
+					'allow_exception_as_substring' => 'n',
+					'errmsg'=> 'le_auto_cleanup_denylist_error_custom'
+				),
+			),
+			'datatype' => 'VARCHAR',
+			'formtype' => 'TEXT',
+			'default' => '[server_name]',
+			'value' => '',
+			'width' => '40',
+			'maxlength' => '255'
+		),
+		'le_revoke_before_delete' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
 		//#################################
 		// END Datatable fields
 		//#################################

interface/web/admin/form/server_config.tform.php

@@ -363,3 +363,10 @@ $wb['sysbackup_copies_txt'] = 'Número de copias de seguridad del sistema';
 $wb['sysbackup_copies_error_empty'] = 'El número de copias de seguridad del sistema no debe estar vacío';
 $wb['sysbackup_copies_error_regex'] = 'El número de copias de seguridad del sistema debe ser un número entre 1 y 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = desactivado)';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';

interface/web/admin/lib/lang/ar_server_config.lng

@@ -363,3 +363,10 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';

interface/web/admin/lib/lang/bg_server_config.lng

@@ -364,3 +364,10 @@ $wb['sysbackup_copies_error_empty'] = 'O número de copias de seguridad do siste
 $wb['sysbackup_copies_error_regex'] = 'O número de copias de seguridad do sistema deve ser um número entre 1 e 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = desativado)';
 
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';

interface/web/admin/lib/lang/br_server_config.lng

@@ -363,3 +363,10 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';

interface/web/admin/lib/lang/ca_server_config.lng

@@ -52,13 +52,8 @@ $wb['relayhost_txt'] = '中继主机';
 $wb['relayhost_user_txt'] = '中继主机用户名';
 $wb['relayhost_password_txt'] = '中继主机密码';
 $wb['reject_sender_login_mismatch_txt'] = '拒绝发件人和登录用户不匹配';
-$wb['reject_unknown_txt'] = '拒绝未知主机名';
-$wb['tooltip_reject_unknown_txt'] = '需要主机名通过DNS检查。对经过身份验证的用户不进行检查。';
 $wb['reject_unknown_txt'] = '拒绝未知的helo主机名';
 $wb['tooltip_reject_unknown_txt'] = '需要主机名通过DNS检测。对已认证用户不进行检查。';
-$wb['reject_unknown_helo_txt'] = '拒绝未知的 helo 主机名';
-$wb['reject_unknown_client_txt'] = '拒绝未知的客户端主机名';
-$wb['reject_unknown_client_helo_txt'] = '拒绝未知的helo和客户端主机名';
 $wb['reject_unknown_helo_txt'] = '拒绝未知的helo主机名';
 $wb['reject_unknown_client_txt'] = '拒绝未知的客户端主机名';
 $wb['reject_unknown_client_helo_txt'] = '拒绝未知的helo和客户端主机名';
@@ -241,13 +236,12 @@ $wb['overquota_db_notify_threshold_txt'] = 'DB配额警告使用水平';
 $wb['overquota_db_notify_admin_txt'] = '向管理员发送DB配额警告';
 $wb['overquota_db_notify_reseller_txt'] = '向经销商发送DB配额警告';
 $wb['overquota_db_notify_client_txt'] = '向客户发送DB配额警告';
-$wb['monitor_system_updates_txt'] = '检查Linux更新';
+$wb['monitor_system_updates_txt'] = '检查 Linux 更新';
 $wb['php_handler_txt'] = '默认的 PHP 处理器';
 $wb['php_fpm_default_chroot_txt'] = '默认的 PHP-FPM chroot';
 $wb['php_fpm_incron_reload_txt'] = '安装 incron 触发器文件以重新加载 PHP-FPM';
 $wb['disabled_txt'] = '已禁用';
 $wb['dkim_strength_txt'] = 'DKIM 强度';
-$wb['monitor_system_updates_txt'] = '检查 Linux 更新';
 $wb['invalid_apache_user_txt'] = '无效的 Apache 用户。';
 $wb['invalid_apache_group_txt'] = '无效的 Apache 组。';
 $wb['backup_dir_error_regex'] = '无效的备份目录。';
@@ -363,3 +357,16 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['dkim_path_txt'] = 'DKIM Path';
+$wb['bind_zonefiles_masterprefix_txt'] = 'BIND master zonefiles prefix';
+$wb['bind_zonefiles_slaveprefix_txt'] = 'BIND slave zonefiles prefix';
+$wb['bind_zonefiles_masterprefix_error_regex'] = 'Invalid BIND zonefiles master prefix.';
+$wb['bind_zonefiles_slaveprefix_error_regex'] = 'Invalid BIND zonefiles slave prefix.';
+$wb['vhost_proxy_protocol_protocols_txt'] = 'Use PROXY Protocol on';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';

interface/web/admin/lib/lang/cn_server_config.lng

@@ -150,7 +150,7 @@ $wb['php_fpm_socket_dir_error_empty'] = 'PHP-FPM adresář pro socket je prázdn
 $wb['try_rescue_txt'] = 'Povolit monitorování služeb a restartovat při selhání';
 $wb['do_not_try_rescue_mysql_txt'] = 'Zakázat MySQL monitorování';
 $wb['do_not_try_rescue_mail_txt'] = 'Zakázat E-mail monitorování';
-$wb['rescue_description_txt'] = '<b>Informace:</b> Pokud chcete např. vypnout MySQL službu zatrhněte políčko \"Zakázat MySQL monitorování\" změna se provede do 2-3 minut.<br>Pokud nepočkáte 2-3 minuty, monitorování nastartuje službu MySQL automaticky znovu !';
+$wb['rescue_description_txt'] = '<b>Informace:</b> Pokud chcete např. vypnout MySQL službu zatrhněte políčko "Zakázat MySQL monitorování" změna se provede do 2-3 minut.<br>Pokud nepočkáte 2-3 minuty, monitorování nastartuje službu MySQL automaticky znovu !';
 $wb['enable_sni_txt'] = 'Aktivovat SNI (Server Name Indication)';
 $wb['do_not_try_rescue_httpd_txt'] = 'Zakázat HTTPD monitorování';
 $wb['set_folder_permissions_on_update_txt'] = 'Nastavení oprávnění složky při aktualizaci';
@@ -363,3 +363,10 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';
+$wb['le_delete_on_site_remove_txt'] = 'Delete Let\'s Encrypt certificate on website removal';
+$wb['le_revoke_before_delete_txt'] = 'Revoke a certificate before deleting it (prevents Let\'s Encrypt renewal warnings)';